Maybe a tried-and-true PRNG could be used, seeded with sha256(server_seed || ":" || user_seed) or whatever, instead of that nonce-postfix thingy that is implemented, which only changes a couple of bits (down to only one bit roughly every second time) of the sha256 input between rolls. I'm not saying this is a flawed approach (I clearly do not know this), just that it's impossible for me to be sure it's not (partly) predictable.
If this is the case, wouldn't the entire proof of work for Bitcoin be compromised?
Bitcoin = SHA256(SHA256)
JD = HMAC-SHA512(server seed, client seed, nonce)
They both use the SHA family right?
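The HMAC-SHA512(server seed, client seed, nonce) construction discussed in this thread, as an added example (not code from the thread or from JD itself): it derives rolls for consecutive nonces, counts how many input bits versus output bits change between them (the concern raised in the first post), and does the player-side verification. The "client_seed:nonce" message layout, the 20-bit rejection-sampling mapping to a 0..9999 roll, and the SHA-256 commitment to the server seed are assumptions of this example, not documented JD behaviour.

```python
import hashlib
import hmac

# Constructed sample seeds for this example (not real seeds from any site).
SERVER_SEED = "example-server-seed-0001"
CLIENT_SEED = "example-client-seed"
# Commitment the server would publish before play (assumed commit-reveal).
SERVER_COMMIT = hashlib.sha256(SERVER_SEED.encode()).hexdigest()


def roll_digest(server_seed: str, client_seed: str, nonce: int) -> bytes:
    # HMAC-SHA512 keyed with the server seed over "client_seed:nonce".
    # The "client_seed:nonce" message layout is an assumption of this example.
    msg = f"{client_seed}:{nonce}".encode()
    return hmac.new(server_seed.encode(), msg, hashlib.sha512).digest()


def roll_from_digest(digest: bytes, sides: int = 10000) -> int:
    # Map the digest to a roll in [0, sides) without modulo bias: walk 20-bit
    # chunks (5 hex chars), reject any >= 1_000_000, then reduce mod `sides`.
    hexdigest = digest.hex()
    for i in range(0, len(hexdigest) - 4, 5):
        chunk = int(hexdigest[i:i + 5], 16)
        if chunk < 1_000_000:
            return chunk % sides
    raise ValueError("all chunks rejected; derive again with the next nonce")


def bit_distance(a: bytes, b: bytes) -> int:
    # Hamming distance in bits between two equal-length byte strings.
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def avalanche(server_seed: str, client_seed: str, nonce: int) -> tuple:
    # How much the HMAC input vs. output changes between consecutive nonces:
    # returns (input bits changed, output bits changed out of 512).
    in0 = f"{client_seed}:{nonce}".encode()
    in1 = f"{client_seed}:{nonce + 1}".encode()
    out0 = roll_digest(server_seed, client_seed, nonce)
    out1 = roll_digest(server_seed, client_seed, nonce + 1)
    return bit_distance(in0, in1), bit_distance(out0, out1)


def verify_roll(server_seed: str, commitment_hex: str, client_seed: str,
                nonce: int, claimed_roll: int) -> bool:
    # Player-side check after the seed is revealed: it must match the published
    # commitment and reproduce the claimed roll.
    if hashlib.sha256(server_seed.encode()).hexdigest() != commitment_hex:
        return False
    return roll_from_digest(roll_digest(server_seed, client_seed, nonce)) == claimed_roll
```

Going from nonce 4 to 5 flips one input bit and from 5 to 6 flips two, yet the HMAC output changes in roughly half of its 512 bits either way; what the player can check is reproducibility against the commitment, not whether the server chose the seed honestly.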